CVE-2025-22027 in Linux Kernel
Sumário (Inglês)
In the Linux kernel, the following vulnerability has been resolved: media: streamzap: fix race between device disconnection and urb callback Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzap_disconnect() function: rc_unregister_device() is called before usb_kill_urb(). The dev->raw pointer is freed and set to NULL in rc_unregister_device(), and only after that usb_kill_urb() waits for in-progress requests to finish. If rc_unregister_device() is called while streamzap_callback() handler is not finished, this can lead to accessing freed resources. Thus rc_unregister_device() should be called after usb_kill_urb(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Responsável
Linux
Reservar
29/12/2024
Divulgação
16/04/2025
Inscrições
| ID | Vulnerabilidade | CWE | Base | Temp | 0day | Hoje | Exp | KEV | EPSS | CTI | Con | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 305082 | Linux Kernel streamzap ir_raw_event_store_with_filter Condição de Corrida | 362 | 4.6 | 4.4 | $0-$5k | $0-$5k | Não definido | 0.00083 | 0.00 | Correção oficial | CVE-2025-22027 |